[4925] [2.0 RC3] membersAllowedTo doesn't deal with post count groups

Started by Arantor, May 06, 2010, 11:34:46 AM


Arantor

Within Subs-Members.php there is a function for getting all the members that have a given permission, optionally within a specific board.

It gets the data from groupsAllowedTo(), which is simply a list of all the groups that would be allowed to have a specific permission (optionally in the specified board), then membersAllowedTo() looks up all the members that that fits.

Let's say for the sake of argument, we've called a permission that counts for groups 1, 2 and 4 - admins, global moderators and Newbie. It's slightly contrived but it explains the problem.

The query produced takes the form of WHERE mem.id_group IN (1,2,4) OR FIND_IN_SET(2, mem.additional_groups) != 0 OR FIND_IN_SET(4, mem.additional_groups) != 0 OR FIND_IN_SET(1, mem.additional_groups) != 0

I'm leaving out the matter of board moderators being included, but it doesn't actually affect the net result: you still get a query that never looks at mem.id_post_group, so even if groupsAllowedTo gives you a post count group, it will never match for this purpose, even if it's only given based on post count group.


I'm not sure if you'd classify this as a bug, exactly. But I'd argue it should at least be considered, in the places it's used, and figured out whether it should be altered.

* Arantor encountered this in looking over SMF's permissions for writing new for SimpleDesk.

Norv

I think I remember something of this kind being reported previously. Anyway, I'd agree that post-count groups should be considered; it just isn't clear to me what scenarios we are talking about here.
Worth looking into, anyway, IMHO.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.


emanuele

So, the function concerned is membersAllowedTo, which is used in:
* Reports.php to list global moderators and admin,
* Profile-Modify.php to find the members that have manage_membergroups permission to send a notification of the new request,
* SendTopic.php to "Get a list of members with the moderate_board permission." in ReportToModerator2 (send a report).

It's unlikely, I think, that a post-based membergroup can have any of the permissions checked by this function right now, but it is also true that for future use it could be useful to have the post-based membergroups in the query too.

Here the query is:
    $request = $smcFunc['db_query']('', '
        SELECT mem.id_member
        FROM {db_prefix}members AS mem' . ($include_moderators || $exclude_moderators ? '
            LEFT JOIN {db_prefix}moderators AS mods ON (mods.id_member = mem.id_member AND mods.id_board = {int:board_id})' : '') . '
        WHERE (' . ($include_moderators ? 'mods.id_member IS NOT NULL OR ' : '') . 'mem.id_group IN ({array_int:member_groups_allowed}) OR FIND_IN_SET({raw:member_group_allowed_implode}, mem.additional_groups) != 0)' . (empty($member_groups['denied']) ? '' : '
            AND NOT (' . ($exclude_moderators ? 'mods.id_member IS NOT NULL OR ' : '') . 'mem.id_group IN ({array_int:member_groups_denied}) OR FIND_IN_SET({raw:member_group_denied_implode}, mem.additional_groups) != 0)'),
        array(
            'member_groups_allowed' => $member_groups['allowed'],
            'member_groups_denied' => $member_groups['denied'],
            'board_id' => $board_id,
            'member_group_allowed_implode' => implode(', mem.additional_groups) != 0 OR FIND_IN_SET(', $member_groups['allowed']),
            'member_group_denied_implode' => implode(', mem.additional_groups) != 0 OR FIND_IN_SET(', $member_groups['denied']),
        )
    );


it should become (I think):
    $request = $smcFunc['db_query']('', '
        SELECT mem.id_member
        FROM {db_prefix}members AS mem' . ($include_moderators || $exclude_moderators ? '
            LEFT JOIN {db_prefix}moderators AS mods ON (mods.id_member = mem.id_member AND mods.id_board = {int:board_id})' : '') . '
        WHERE (' . ($include_moderators ? 'mods.id_member IS NOT NULL OR ' : '') . 'mem.id_group IN ({array_int:member_groups_allowed}) OR FIND_IN_SET({raw:member_group_allowed_implode}, mem.additional_groups) != 0 OR mem.id_post_group IN ({array_int:member_groups_allowed}))' . (empty($member_groups['denied']) ? '' : '
            AND NOT (' . ($exclude_moderators ? 'mods.id_member IS NOT NULL OR ' : '') . 'mem.id_group IN ({array_int:member_groups_denied}) OR FIND_IN_SET({raw:member_group_denied_implode}, mem.additional_groups) != 0 OR mem.id_post_group IN ({array_int:member_groups_denied}))'),
        array(
            'member_groups_allowed' => $member_groups['allowed'],
            'member_groups_denied' => $member_groups['denied'],
            'board_id' => $board_id,
            'member_group_allowed_implode' => implode(', mem.additional_groups) != 0 OR FIND_IN_SET(', $member_groups['allowed']),
            'member_group_denied_implode' => implode(', mem.additional_groups) != 0 OR FIND_IN_SET(', $member_groups['denied']),
        )
    );



Take a peek at what I'm doing! ;D




Do you need support in Italian?

Help us to help you: explain your problem well: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.
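
An added illustration (not part of the thread and not SMF's code) of the gap described in the first post and of the change proposed above: it builds both WHERE-clause variants and runs them against a constructed in-memory table. Assumptions: SQLite stands in for MySQL, FIND_IN_SET is emulated by a registered function, the member rows and group ids are made up, and board moderators are left out.

```python
import sqlite3

def find_in_set(needle, csv):
    # Emulates MySQL FIND_IN_SET for SQLite: 1-based position in a comma list, 0 if absent.
    items = [s.strip() for s in (csv or "").split(",") if s.strip()]
    return items.index(str(needle)) + 1 if str(needle) in items else 0

def group_clause(groups, with_post_group):
    # Same shape as the thread's query; ids are forced to int before interpolation.
    ids = ",".join(str(int(g)) for g in groups)
    parts = ["mem.id_group IN (%s)" % ids]
    parts += ["FIND_IN_SET(%d, mem.additional_groups) != 0" % int(g) for g in groups]
    if with_post_group:  # the proposed addition
        parts.append("mem.id_post_group IN (%s)" % ids)
    return "(" + " OR ".join(parts) + ")"

def members_allowed_to(db, allowed, denied, with_post_group):
    # Simplified model of membersAllowedTo(): no board moderators, group lists passed in.
    sql = "SELECT mem.id_member FROM members AS mem WHERE " + group_clause(allowed, with_post_group)
    if denied:
        sql += " AND NOT " + group_clause(denied, with_post_group)
    return [row[0] for row in db.execute(sql + " ORDER BY mem.id_member")]

def build_db():
    # Constructed sample data; group 4 plays the post-count group "Newbie".
    db = sqlite3.connect(":memory:")
    db.create_function("FIND_IN_SET", 2, find_in_set)
    db.execute("CREATE TABLE members (id_member INTEGER, id_group INTEGER,"
               " additional_groups TEXT, id_post_group INTEGER)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", [
        (1, 1, "", 5),   # admin
        (2, 0, "2", 5),  # global moderator through additional_groups
        (3, 0, "", 4),   # regular member whose only listed group is post group 4
        (4, 0, "", 5),   # regular member in an unlisted post group
        (5, 2, "", 4),   # global moderator who is also in post group 4
    ])
    return db

if __name__ == "__main__":
    db = build_db()
    for allowed, denied in (([1, 2, 4], []), ([1, 2], [4])):
        before = members_allowed_to(db, allowed, denied, with_post_group=False)
        after = members_allowed_to(db, allowed, denied, with_post_group=True)
        print("allowed", allowed, "denied", denied, "before", before, "after", after)
```

With groups 1, 2 and 4 allowed, member 3 is returned only by the variant that checks id_post_group; with group 4 denied, member 5 is excluded only by that variant, so the change affects the deny side as well as the allow side.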

emanuele

Oh well, I applied it. :P

commit 0f3cf7dfdcea7b374022e1a3b6df1ffd69a879be
Author: emanuele
Date:   Sun Oct 14 2012

    membersAllowedTo should now deal with post-based membergroups [Topic 380058] - Thanks Arantor for the report



GL700Wing

I've noticed this is not in Subs-Members.php in SMF 2.0.14 - is it implemented some other way/no longer necessary?
Life doesn't have to be perfect to be wonderful ...

Illori

Please stop bumping old topics; as it states in the message above yours, the fix was committed.
